BIMI Root and Subdomain Sender Configuration Scenario: Gmail Confirmation Pattern
This scenario covers how a regulated-industry sender configured BIMI records for both a root domain and an active sending subdomain, and what DNS structure is required to support BIMI evaluation on messages sent from subdomains.
To safeguard client confidentiality, this scenario is adapted from a real VMCCerts technical support case but has been fully anonymized. All brand names, proprietary domains, and unique cryptographic strings have been altered or omitted. The underlying technical challenges and VMC/BIMI validation solutions remain 100% authentic.
Scenario Snapshot
| Organization type | Regulated-industry sender using both a root domain and a subdomain for outbound email |
|---|---|
| Industry category | Financial services / insurance |
| Goal | Deploy BIMI across both the root domain and active sending subdomain to display the verified logo in Gmail |
| Starting point | VMC issued for the root domain; sender also sends from a subdomain and needed to understand whether a separate BIMI record was required |
| Main blocker | Uncertainty about whether the root domain BIMI record would cover the subdomain, or whether a separate BIMI TXT record was needed for the subdomain |
| Certificate path | Sectigo Verified Mark Certificate |
| VMCCerts guidance | Root vs subdomain BIMI record structure, subdomain DNS setup, Gmail evaluation behavior explanation |
| Outcome | Both root domain and subdomain BIMI records published; Gmail logo display confirmed after setup |
| Best lesson | A BIMI record on the root domain does not automatically cover sending subdomains — a separate record is required for each subdomain that sends mail |
The Starting Point
The organization had a VMC issued and a BIMI record published on the root domain. Outbound marketing and transactional emails were also sent from a subdomain, and the sender wanted to know whether a second BIMI record on the subdomain was needed or whether the root-domain record would apply automatically to messages sent from the subdomain.
The Implementation Challenge
BIMI evaluation by Gmail and other mailbox providers is based on the domain in the email’s From address. When a message is sent from a subdomain, Gmail queries the BIMI record at default._bimi.subdomain.example.com, not at default._bimi.example.com. A root-domain BIMI record does not automatically cascade to subdomains for BIMI purposes — each sending subdomain needs its own BIMI TXT record pointing to the hosted logo and certificate files. It helps to confirm exactly where each BIMI TXT record needs to be published before adding a subdomain record.
# Root domain BIMI record — covers mail sent from root domain only default._bimi.example.com TXT "v=BIMI1; l=https://…/logo.svg; a=https://…/cert.pem" # Subdomain BIMI record — required for mail sent from mail.example.com default._bimi.mail.example.com TXT "v=BIMI1; l=https://…/logo.svg; a=https://…/cert.pem" # Both records can point to the same hosted logo and certificate files
How VMCCerts Guided the Process
VMCCerts explained the Gmail BIMI evaluation lookup behavior for subdomains, confirmed that a separate BIMI TXT record was required on the subdomain, and provided the exact DNS record format for the subdomain. Both records — root domain and subdomain — were configured to point to the same hosted logo SVG and certificate PEM files, which is acceptable when the same certificate covers the sending identity. VMCCerts also confirmed DMARC enforcement on both the root domain and subdomain before the second record was published, and verified that the issued VMC covered every sending identity in use across both domains.
The Outcome or Clarified Path
Both BIMI records were published and DMARC enforcement was confirmed on both the root domain and subdomain. Gmail logo display was confirmed after the subdomain record was in place. The deployment confirmed that both the root domain and subdomain show the same verified brand logo in Gmail for recipients receiving messages from either address. Reviewing how Gmail evaluates each sending domain’s BIMI record independently helps explain why both records were needed.
What Similar Brands Can Learn
- A root-domain BIMI record does not cascade to sending subdomains — each subdomain that sends mail needs its own BIMI TXT record.
- BIMI evaluation is based on the From address domain — Gmail queries the BIMI record for the exact domain or subdomain in the From field.
- Both root-domain and subdomain BIMI records can reference the same hosted logo and certificate files when the certificate covers the organization’s sending identity.
- DMARC enforcement must be confirmed at the subdomain level as well as the root domain before the subdomain BIMI record is published.
- Senders using subdomains for transactional or marketing mail should confirm BIMI DNS coverage for each active sending subdomain.
When to Contact VMCCerts
If you send email from both a root domain and one or more subdomains and want BIMI logo display across all sending addresses, contact VMCCerts to confirm the DNS record structure required for each sending subdomain. Senders can get that subdomain review directly from a BIMI implementation specialist.